author | Thomas Fanninger | 2016-09-29 16:59:58 +0200 |
---|---|---|
committer | Thomas Fanninger | 2016-09-29 16:59:58 +0200 |
commit | fa20e49e976fed5c5fe409c2f4981fdd513ad2c2 (patch) | |
tree | 5485260e87b710db875157fbc48f9681ad56ddfb | |
parent | 552fedb541582cfc8523a686208db6cd58a0eed8 (diff) | |
download | aur-fa20e49e976fed5c5fe409c2f4981fdd513ad2c2.tar.gz |
Add migration from user www-data to http
-rw-r--r-- | .SRCINFO | 14 | ||||
-rw-r--r-- | PKGBUILD | 14 | ||||
-rw-r--r-- | caddy-full-bin.install | 13 | ||||
-rw-r--r-- | caddy-systemd-service.patch | 29 | ||||
-rw-r--r-- | caddy_new.service | 46 | ||||
-rw-r--r-- | caddy_old.service | 46 |
6 files changed, 131 insertions, 31 deletions
@@ -1,9 +1,9 @@ # Generated by mksrcinfo v8 -# Thu Sep 29 12:04:13 UTC 2016 +# Thu Sep 29 14:59:33 UTC 2016 pkgbase = caddy-full-bin pkgdesc = A configurable, general-purpose HTTP/2 web server for any platform (All features enabled) pkgver = 0.9.3 - pkgrel = 2 + pkgrel = 4 url = https://caddyserver.com install = caddy-full-bin.install arch = i686 @@ -11,8 +11,8 @@ pkgbase = caddy-full-bin arch = armv7h arch = aarch64 license = Apache + makedepends = patch depends = systemd>=229 - depends = patch provides = caddy conflicts = caddy conflicts = caddy-git 
@@ -20,19 +20,19 @@ pkgbase = caddy-full-bin source_i686 = caddy.tar.gz::https://caddyserver.com/download/build?os=linux&features=awslambda,cors,filemanager,git,hugo,ipfilter,jwt,locale,mailout,minify,multipass,prometheus,ratelimit,realip,search,upload,cloudflare,digitalocean,dnsimple,dyn,gandi,googlecloud,namecheap,rfc2136,route53,vultr&arch=386 source_i686 = caddy-systemd-service.patch md5sums_i686 = SKIP - md5sums_i686 = 61c39378589e5c59314e7a157fbf9a53 + md5sums_i686 = bb3b2b3e58fe090a298e3d20b6f2597b source_x86_64 = caddy.tar.gz::https://caddyserver.com/download/build?os=linux&features=awslambda,cors,filemanager,git,hugo,ipfilter,jwt,locale,mailout,minify,multipass,prometheus,ratelimit,realip,search,upload,cloudflare,digitalocean,dnsimple,dyn,gandi,googlecloud,namecheap,rfc2136,route53,vultr&arch=amd64 source_x86_64 = caddy-systemd-service.patch md5sums_x86_64 = SKIP - md5sums_x86_64 = 61c39378589e5c59314e7a157fbf9a53 + md5sums_x86_64 = bb3b2b3e58fe090a298e3d20b6f2597b source_armv7h = caddy.tar.gz::https://caddyserver.com/download/build?os=linux&features=awslambda,cors,filemanager,git,hugo,ipfilter,jwt,locale,mailout,minify,multipass,prometheus,ratelimit,realip,search,upload,cloudflare,digitalocean,dnsimple,dyn,gandi,googlecloud,namecheap,rfc2136,route53,vultr&arch=arm source_armv7h = caddy-systemd-service.patch md5sums_armv7h = SKIP - md5sums_armv7h = 61c39378589e5c59314e7a157fbf9a53 + md5sums_armv7h = bb3b2b3e58fe090a298e3d20b6f2597b source_aarch64 = caddy.tar.gz::https://caddyserver.com/download/build?os=linux&features=awslambda,cors,filemanager,git,hugo,ipfilter,jwt,locale,mailout,minify,multipass,prometheus,ratelimit,realip,search,upload,cloudflare,digitalocean,dnsimple,dyn,gandi,googlecloud,namecheap,rfc2136,route53,vultr&arch=arm64 source_aarch64 = caddy-systemd-service.patch md5sums_aarch64 = SKIP - md5sums_aarch64 = 61c39378589e5c59314e7a157fbf9a53 + md5sums_aarch64 = bb3b2b3e58fe090a298e3d20b6f2597b pkgname = caddy-full-bin 
@@ -9,7 +9,7 @@ _features=('awslambda' 'cors' 'filemanager' 'git' 'hugo' 'ipfilter' 'jwt' 'local
 pkgname=caddy-full-bin
 _realname=caddy
 pkgver=0.9.3
-pkgrel=3
+pkgrel=4
 pkgdesc="A configurable, general-purpose HTTP/2 web server for any platform (All features enabled)"
 arch=('i686' 'x86_64' 'armv7h' 'aarch64')
 url="https://caddyserver.com"
@@ -19,13 +19,13 @@ conflicts=('caddy' 'caddy-git' 'caddy-all-features')
 depends=('systemd>=229')
 makedepends=('patch')
 md5sums_i686=('SKIP'
- '61c39378589e5c59314e7a157fbf9a53')
+ 'bb3b2b3e58fe090a298e3d20b6f2597b')
 md5sums_x86_64=('SKIP'
- '61c39378589e5c59314e7a157fbf9a53')
+ 'bb3b2b3e58fe090a298e3d20b6f2597b')
 md5sums_armv7h=('SKIP'
- '61c39378589e5c59314e7a157fbf9a53')
+ 'bb3b2b3e58fe090a298e3d20b6f2597b')
 md5sums_aarch64=('SKIP'
- '61c39378589e5c59314e7a157fbf9a53')
+ 'bb3b2b3e58fe090a298e3d20b6f2597b')
 install='caddy-full-bin.install'
 
 # expand the feature array
@@ -40,11 +40,11 @@ source_armv7h=("caddy.tar.gz::${_url_prefix}&arch=arm" "caddy-systemd-service.pa
 source_aarch64=("caddy.tar.gz::${_url_prefix}&arch=arm64" "caddy-systemd-service.patch")
 
 prepare() {
- patch -p0 -i caddy-systemd-service.patch
+ msg2 "Patching systemd service file"
+ patch -Np1 -i "$srcdir/caddy-systemd-service.patch" "${srcdir}/init/linux-systemd/caddy.service"
 }
 
 package() {
- echo "Migration guide for caddy <0.9: https://github.com/klingtnet/caddy-AUR/blob/master/README.md"
 install -Dm755 "${srcdir}/caddy" "${pkgdir}/usr/bin/caddy"
 install -Dm644 "${srcdir}/init/linux-systemd/caddy.service" "${pkgdir}/usr/lib/systemd/system/caddy.service"
 install -Dm644 "${srcdir}/init/linux-systemd/README.md" "${pkgdir}/usr/share/doc/${_realname}/service.txt"
diff --git a/caddy-full-bin.install b/caddy-full-bin.install
index 67f7a9567412..abafe456684f 100644
--- a/caddy-full-bin.install
+++ b/caddy-full-bin.install
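Review bot: The new patch invocation in prepare() names the target file explicitly, so `-Np1` has no effect; the rewritten caddy-systemd-service.patch carries no path header to strip, and a reader will assume a unified diff with paths that is not there. The same line also mixes `"$srcdir/..."` with `"${srcdir}/..."`, while the rest of the visible PKGBUILD uses the braced form; `patch -N -i "${srcdir}/caddy-systemd-service.patch" "${srcdir}/init/linux-systemd/caddy.service"` keeps one spelling and drops the dead option. The removed echo in package() moves the migration notice into the install script, which is where pacman users will actually see it; package() continues past the end of the hunk.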
@@ -1,6 +1,5 @@
 post_install() {
- getent passwd www-data || useradd --system --shell /usr/bin/nologin www-data
- mkdir -p /etc/ssl/caddy && chown -R www-data:www-data /etc/ssl/caddy
+ mkdir -p /etc/ssl/caddy && chown -R http:http /etc/ssl/caddy
 }
 
 pre_upgrade() {
@@ -9,6 +8,16 @@ pre_upgrade() {
 
 post_upgrade() {
 systemctl daemon-reload
+ if [ $(vercmp $2 0.9.3-4) -lt 0 ]; then
+ userdel -r -f www-data
+ groupdel www-data
+
+ chown -R http:http /etc/ssl/caddy
+
+ echo "Migration guide for caddy <0.9: https://github.com/klingtnet/caddy-AUR/blob/master/README.md"
+ echo "With the package level 0.9.3-4 the caddy user is changed from 'www-data' to 'http'."
+ echo "You need to update the right for your caddy web directory with 'chown -R http:http <web-root>'"
+ fi
 }
 
 pre_remove() {
diff --git a/caddy-systemd-service.patch b/caddy-systemd-service.patch
index 779703c9247d..3f85f13f9988 100644
--- a/caddy-systemd-service.patch
+++ b/caddy-systemd-service.patch
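Review bot: `userdel -r -f www-data` in post_upgrade runs on every upgrade from a release before 0.9.3-4 without checking that the account still exists or that nothing else on the system uses it; `-r` deletes the account's home directory and mail spool and `-f` proceeds even while the old caddy process is still running as www-data, so a repurposed or shared www-data account loses its files. Prefer an existence check and no forced removal, `getent passwd www-data >/dev/null && userdel www-data` and `getent group www-data >/dev/null && groupdel www-data`, or leave the account alone and only inform the administrator. The same block re-owns /etc/ssl/caddy to http while the running service keeps its www-data identity until it is restarted, so certificate writes fail in the meantime; the printed migration text should tell the administrator to restart caddy.service. In the messages, "package level" means the package release and "update the right" should read "update the ownership".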
@@ -1,15 +1,14 @@
---- init/linux-systemd/caddy.service 2016-09-28 21:07:57.000000000 +0200
-+++ init/linux-systemd/caddy.service.patched 2016-09-29 13:51:35.533691718 +0200
-@@ -38,9 +38,9 @@
- ; The following additional security directives only work with systemd v229 or later.
- ; They further retrict privileges that can be gained by caddy. Uncomment if you like.
- ; Note that you may have to add capabilities required by any plugins in use.
--;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
--;AmbientCapabilities=CAP_NET_BIND_SERVICE
--;NoNewPrivileges=true
-+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-+AmbientCapabilities=CAP_NET_BIND_SERVICE
-+NoNewPrivileges=true
- 
- [Install]
- WantedBy=multi-user.target
+11,12c11,12
+< User=www-data
+< Group=www-data
+---
+> User=http
+> Group=http
+41,43c41,43
+< ;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+< ;AmbientCapabilities=CAP_NET_BIND_SERVICE
+< ;NoNewPrivileges=true
+---
+> CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+> AmbientCapabilities=CAP_NET_BIND_SERVICE
+> NoNewPrivileges=true
diff --git a/caddy_new.service b/caddy_new.service
new file mode 100644
index 000000000000..9b840276c8c3
--- /dev/null
+++ b/caddy_new.service
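Review bot: The replacement patch is a normal-format diff (`11,12c11,12`, `<`/`>` lines) with no file header and no context lines, whereas the version it replaces was a unified diff; patch still verifies the `<` lines before changing anything, but the file no longer says which unit it targets and gives patch nothing around the changed lines to anchor on when upstream shifts the file. Since the commit adds caddy_old.service and caddy_new.service, regenerating with `diff -u caddy_old.service caddy_new.service > caddy-systemd-service.patch` yields a self-describing unified patch that the PKGBUILD's `-p1` then has a reason to exist for. The content itself is the right direction: it moves User/Group to http and turns on the CapabilityBoundingSet, AmbientCapabilities and NoNewPrivileges lines that upstream ships commented out.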
@@ -0,0 +1,46 @@
+[Unit]
+Description=Caddy HTTP/2 web server
+Documentation=https://caddyserver.com/docs
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+Restart=on-failure
+
+; User and group the process will run as.
+User=http
+Group=http
+
+; Letsencrypt-issued certificates will be written to this directory.
+Environment=HOME=/etc/ssl/caddy
+
+; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
+ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+; Unmodified caddy is not expected to use more than that.
+LimitNPROC=64
+
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev
+PrivateDevices=true
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
+; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+ReadWriteDirectories=/etc/ssl/caddy
+
+; The following additional security directives only work with systemd v229 or later.
+; They further retrict privileges that can be gained by caddy. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/caddy_old.service b/caddy_old.service
new file mode 100644
index 000000000000..536cb3a192f5
--- /dev/null
+++ b/caddy_old.service
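Review bot: caddy_new.service carries `ExecStart=/usr/local/bin/caddy`, but the PKGBUILD in this commit installs the binary with `install -Dm755 "${srcdir}/caddy" "${pkgdir}/usr/bin/caddy"`; if this file mirrors the patched upstream unit that package() installs, the shipped service points at a path the package does not provide unless package() rewrites it outside the visible hunk, which is worth confirming. Neither caddy_new.service nor caddy_old.service appears in the PKGBUILD's source arrays, so they are reference copies; a comment in the PKGBUILD beside the source arrays, such as `# caddy_old.service / caddy_new.service: reference copies used to regenerate caddy-systemd-service.patch; not installed`, would tell the next maintainer why they are in the tree. The hardening directives at the bottom are now active rather than commented out, which is the security-relevant gain of this release.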
@@ -0,0 +1,46 @@
+[Unit]
+Description=Caddy HTTP/2 web server
+Documentation=https://caddyserver.com/docs
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+Restart=on-failure
+
+; User and group the process will run as.
+User=www-data
+Group=www-data
+
+; Letsencrypt-issued certificates will be written to this directory.
+Environment=HOME=/etc/ssl/caddy
+
+; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
+ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+; Unmodified caddy is not expected to use more than that.
+LimitNPROC=64
+
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev
+PrivateDevices=true
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
+; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+ReadWriteDirectories=/etc/ssl/caddy
+
+; The following additional security directives only work with systemd v229 or later.
+; They further retrict privileges that can be gained by caddy. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+;AmbientCapabilities=CAP_NET_BIND_SERVICE
+;NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target |